CERTStation Week In Review Transcript: week 4, 2017

Critical and high severity vulnerabilities have been discovered in Cisco TelePresence and Expressway collaboration products. Software updates have been released to patch these vulnerabilities. The most severe of them is a critical remote code execution vulnerability affecting a device driver in the kernel of the Cisco TelePresence Multipoint Control Unit (MCU). The flaw can be exploited by a remote, unauthenticated attacker to trigger a buffer overflow and execute arbitrary code or cause a denial-of-service (DoS) condition. The bug, identified as CVE-2017-3792, affects TelePresence MCU 5300 Series, MCU MSE 8510 and MCU 4500 when running version 4.3(1.68) or later of the software; versions prior to 4.3(1.68) are not impacted. Affected users have been advised to update to version 4.5(1.89). A denial of service vulnerability has been discovered in Cisco TelePresence, specifically in the Video Communications Server (VCS) software. The vulnerability can be exploited remotely without authentication. The same issue also affects the Expressway Series collaboration gateway. The flaw exists in all versions of the Cisco Expressway Series and TelePresence VCS software prior to X8.8.2. A separate advisory published by Cisco this week describes a high severity DoS vulnerability affecting the ASA CX Context-Aware Security module. An attacker can exploit the flaw to cause the module to stop processing traffic. Patches have yet to be released and there are no workarounds, but Cisco has provided some recommendations for limiting exposure. These weaknesses were found during the resolution of support cases, and Cisco is not aware of any exploits in the wild.

Security updates have been released by Apple to patch dozens of vulnerabilities in macOS, iOS, watchOS, tvOS, and Safari, as well as in the iCloud and iTunes for Windows applications. The newly released macOS Sierra 10.12.3 resolves 11 vulnerabilities in components such as apache_mod_php, Bluetooth, Graphics Drivers, Help Viewer, IOAudioFamily, Kernel, libarchive, and Vim. Most of the plugged issues could allow applications to execute arbitrary code, while others could allow malicious archives or web content to execute code. One of the bugs could allow an application to determine the kernel memory layout. iOS 10.2.1 resolves 18 vulnerabilities in multiple components, including Auto Unlock, Contacts, Kernel, libarchive, WebKit, and Wi-Fi. WebKit was the most affected component, with no less than 12 flaws resolved in it, most of which were discovered by Google Project Zero researchers. Affecting iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, the patched security holes included one where Auto Unlock may unlock when Apple Watch is off the user's wrist, unexpected application termination when processing a maliciously crafted contact card, arbitrary code execution with kernel privileges, data exfiltration, popups being opened by malicious websites, and the possibility to manipulate an activation-locked device to briefly present the home screen. A total of 33 vulnerabilities were addressed with the release of watchOS 3.1.3, affecting all Apple Watch models. The issues were found in components such as Accounts, Audio, Auto Unlock, CoreFoundation, CoreGraphics, CoreMedia Playback, CoreText, Disk Images, FontParser, ICU, ImageIO, IOHIDFamily, IOKit, Kernel, libarchive, Profiles, Security, syslog, and WebKit.
The fixed vulnerabilities could be exploited to execute arbitrary code, cause a denial of service, gain root privileges, automatically trust certificates, overwrite existing files, cause an unexpected system termination, read kernel memory, and leak memory remotely. There is also the issue where Auto Unlock could unlock when Apple Watch is off the user's wrist. The release of tvOS 10.1.1, affecting Apple TV (4th generation), resolves 12 vulnerabilities in Kernel, libarchive, and WebKit. These could result in an application executing arbitrary code with kernel privileges, arbitrary code execution when unpacking a malicious archive, and data exfiltration and arbitrary code execution when processing maliciously crafted web content. No less than 12 bugs were patched in Safari 10.0.3, which is now available for download for OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12.3. While one of these was an address bar spoofing issue, 11 were found in WebKit and could result in data exfiltration and arbitrary code execution. Some of the WebKit issues were found to affect iCloud and iTunes for Windows too, and were addressed with the release of iCloud for Windows 6.1.1 and iTunes 12.5.5. The same four bugs affected both applications, resulting in arbitrary code execution.

A remote code execution vulnerability, rated critical, has been reported in the Cisco WebEx browser extension. The vulnerability was discovered by Google Project Zero researcher Tavis Ormandy. Cisco’s initial fix does not appear to be complete, which has led Google and Mozilla to temporarily remove the add-on from their stores. While analyzing the WebEx extension for Chrome, which has roughly 20 million active users, Ormandy noticed that it works on any URL that contains a “magic” pattern. This allows an attacker to execute arbitrary code on the targeted WebEx user’s system by getting them to access a specially crafted website. Cisco tried to patch the security hole by limiting the magic URL to the https://*.webex.com and https://*.webex.com.cn domains. Ormandy said the fix was acceptable, but pointed out that the vulnerability could still be exploited silently through a potential cross-site scripting (XSS) flaw on webex.com. Furthermore, even without the XSS, an attacker can still execute arbitrary code as long as the victim clicks “OK” when prompted to allow a WebEx meeting to launch on the malicious website. Mozilla representatives said they were unhappy with Cisco’s fix and pointed out that webex.com does not use HTTP Strict Transport Security (HSTS) or Content Security Policy (CSP). “If I'm an adversary and I can find a single XSS on that domain, all I need to do at any point in the future is intercept an outgoing HTTP request from Chrome, insert a 302 redirect, and I have an instant RCE on who knows how many machines?” noted April King, information security engineer at Mozilla. Others said they could still get Ormandy’s proof-of-concept (PoC) exploit to work even on the updated version. As a result, both Google and Mozilla have decided to remove the WebEx extension from their stores until Cisco releases a proper fix.
“This is exactly the kind of ‘just visit this random website and now you have malware’ scenarios that we haven't seen in a while (on a large scale), and that we don't want to go back to,” said Filippo Valsorda, a researcher at CloudFlare. Valsorda has published advice in a blog post on how to prevent these types of attacks in Chrome using browser profiles.

For security reasons, Google’s G Suite team announced that Gmail will soon stop allowing users to attach JavaScript (.js) files to emails. Currently, there are more than two dozen potentially dangerous file types that can’t be used as attachments in Gmail, including .exe, .jar, .sys, .scr, .bat, .com, .vbs and .cmd. Starting on February 13, 2017, .js files will also be added to the list. Users who attempt to attach these types of files will see a message informing them that the file has been blocked for security reasons, with a “Help” link for those who want additional information. For users who need to send .js files for legitimate reasons, Google recommends using Drive, Cloud Storage or other file-sharing services. Ransomware has increasingly been written in JavaScript (e.g. Ransom32, RAA), and significant spam campaigns delivering malicious .js files are not uncommon, which is probably why Google has decided to block these types of files.

On Thursday, the OpenSSL Project announced the availability of OpenSSL versions 1.1.0d and 1.0.2k, which address a total of four low and moderate severity vulnerabilities. CVE-2017-3731 refers to a vulnerability which allows an attacker to trigger an out-of-bounds read using a truncated packet and crash an SSL/TLS server or client running on a 32-bit host. The bug, reported in mid-November by Google security researcher Robert Swiecki, affects both the 1.1.0 and 1.0.2 branches when certain ciphers are used, specifically ChaCha20-Poly1305 for version 1.1.0 and RC4-MD5 for 1.0.2. Both OpenSSL branches are also affected by a carry propagation bug in the x86_64 Montgomery squaring procedure (CVE-2017-3732). A successful attack relying on a carry propagation bug can allow an attacker to recover encryption keys. However, in this case, the OpenSSL Project said elliptic curve (EC) algorithms are not affected and attacks against RSA and DSA are difficult to carry out. “Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline,” the OpenSSL Project said in its advisory. “The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.” The flaw, reported earlier this month by Google’s OSS-Fuzz project, is similar to CVE-2015-3193, which OpenSSL patched in December 2015. A denial of service vulnerability identified as CVE-2017-3730 affects the 1.1.0 branch. A malicious server that supplies bad parameters for a DHE or ECDHE key exchange can cause the client to crash.
The flaw, reported recently by Guido Vranken, was fixed by OpenSSL developers before they knew that it had security implications. OpenSSL 1.0.2k also addresses a low severity vulnerability that was patched in the 1.1.0 branch in November. Currently, the only supported versions of OpenSSL are 1.0.2 and 1.1.0. Version 1.0.1 has not received security updates since January 1.
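As an added example (not from the OpenSSL Project or the original review), the following Python check maps the output of `openssl version` onto the fixed releases named above, handling OpenSSL's letter-suffix ordering and `-dev` pre-release builds, and flagging the unsupported 1.0.1 branch; the sample banners in the comments are constructed.

```python
import re

# Fixed releases from the 26 January 2017 advisory: every earlier letter
# release on the same branch is treated as affected by at least one CVE.
FIXED = {"1.0.2": "k", "1.1.0": "d"}
# Branch that stopped receiving security updates on 1 January 2017.
UNSUPPORTED = {"1.0.1"}

# Matches e.g. "OpenSSL 1.0.2j  26 Sep 2016" (constructed sample banner).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Return (branch, letters, is_prerelease) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    # "1.1.0d-dev" is a build *before* 1.1.0d, so note the pre-release marker.
    prerelease = banner[m.end():].startswith("-")
    return m.group(1), m.group(2), prerelease


def letter_key(letters):
    """OpenSSL letters sort like spreadsheet columns: '' < 'a' < ... < 'z' < 'za'."""
    return (len(letters), letters)


def assess(banner):
    """Classify a banner as 'patched', 'vulnerable', 'unsupported' or 'unknown'."""
    branch, letters, prerelease = parse_version(banner)
    if branch in UNSUPPORTED:
        return "unsupported"
    if branch not in FIXED:
        return "unknown"
    have, need = letter_key(letters), letter_key(FIXED[branch])
    # A pre-release of the fixed letter predates the fix; it must be strictly newer.
    patched = have > need if prerelease else have >= need
    return "patched" if patched else "vulnerable"


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print(out.strip(), "->", assess(out))
```

Distribution packages often backport fixes without changing the version letter, so treat a "vulnerable" result from this check as a prompt to consult the vendor's package changelog rather than as proof.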